Date:      Tue, 26 Feb 2008 16:31:27 +0000
From:      Anton Shterenlikht <mexas@bristol.ac.uk>
To:        Mel <fbsd.questions@rachie.is-a-geek.net>, freebsd-questions@freebsd.org
Subject:   SOLVED: Re: IPMON log to syslog doesn't work
Message-ID:  <20080226163127.GA88231@mech-aslap33.men.bris.ac.uk>
In-Reply-To: <20080226150113.GA87235@mech-aslap33.men.bris.ac.uk>
References:  <20080226132032.GA86468@mech-aslap33.men.bris.ac.uk> <200802261509.14823.fbsd.questions@rachie.is-a-geek.net> <20080226142537.GA87016@mech-aslap33.men.bris.ac.uk> <200802261542.52179.fbsd.questions@rachie.is-a-geek.net> <20080226150113.GA87235@mech-aslap33.men.bris.ac.uk>

On Tue, Feb 26, 2008 at 03:01:13PM +0000, Anton Shterenlikht wrote:
> On Tue, Feb 26, 2008 at 03:42:51PM +0100, Mel wrote:
> > On Tuesday 26 February 2008 15:25:37 Anton Shterenlikht wrote:
> > > On Tue, Feb 26, 2008 at 03:09:14PM +0100, Mel wrote:
> > > > On Tuesday 26 February 2008 14:20:32 Anton Shterenlikht wrote:
> > > > > I'm trying to troubleshoot my ipfilter firewall, and I cannot get any
> > > > > log data, i.e. /var/log/ipfilter.log is empty.
> > > >
> > > > Does:
> > > > # logger -p security.notice test
> > > > put anything in the log?
> > >
> > > yes:
> > >
> > > # logger -p security.notice test
> > > # cat /var/log/ipfilter.log
> > > Feb 26 00:00:00 mech-cluster238 newsyslog[21510]: logfile turned over
> > > Feb 26 14:17:07 mech-cluster238 mexas: test
> > > # cat /var/log/security
> > > Jul 20 10:52:47  newsyslog[463]: logfile first created
> > > Feb 26 14:17:07 mech-cluster238 mexas: test
> > > #
> > >
> > > so what does this mean?
> > 
> > That syslog works correctly and it's really ipmon. Are you sure it's running? 
> > How about ipmon -s (without the -D), does that turn up in syslog?
> 
> # ipmon -s&
> [1] 23892
> # ps ax | grep ipmon
> 23892  p0  S      0:00.11 ipmon -s
> 23908  p0  R+     0:00.00 grep ipmon
> #
> 
> but the logs are still empty:
> 
> # cat /var/log/ipfilter.log
> Feb 26 00:00:00 mech-cluster238 newsyslog[21510]: logfile turned over
> Feb 26 14:17:07 mech-cluster238 mexas: test
> # cat /var/log/security
> Jul 20 10:52:47  newsyslog[463]: logfile first created
> Feb 26 14:17:07 mech-cluster238 mexas: test
> #
> 
> however:
> 
> # ipmon -D
> 26/02/2008 14:49:59.202056 3x dc0 @0:1 b 137.222.187.22,1004 -> 255.255.255.255,1004 PR udp len 20 67 IN broadcast
> 26/02/2008 14:50:13.064314 2x dc1 @0:1 b 10.10.10.7,520 -> 10.10.10.255,520 PR udp len 20 72 IN broadcast
> ^C
> #
> 
> Perhaps I should play with other ipmon flags as well?

I solved it following the IPF FAQ:
	http://www.phildev.net/ipf/IPFipmon.html#ipmon1

	Q. I have IPMon logging to syslog, but syslog doesn't
	   log anything, why not?

	A. IPF logs as local0 so you'll want something to the effect of:
	   local0.debug /var/log/ipf.log in your syslog.conf.
	   NOTE: There has to be at least one TAB in that line, not just spaces. 

so I changed "security.*" to "local0.*" in /etc/syslog.conf:

# grep local0 /etc/syslog.conf
local0.*        /var/log/ipfilter.log
#

and now I have (lots of) logs in the log file:

# tail -2 /var/log/ipfilter.log
Feb 26 16:20:05 mech-cluster238 ipmon[24166]: 16:20:05.248083 2x dc0 @0:20 b 137.222.187.85,137 -> 137.222.187.255,137 PR udp len 20 78 IN broadcast
Feb 26 16:20:07 mech-cluster238 ipmon[24166]: 16:20:06.876597 dc0 @0:21 b 137.222.187.10,138 -> 137.222.187.255,138 PR udp len 20 212 IN broadcast
#

# ls -al /var/log/ipfilter.log
-rw-r-----  1 root  wheel  74889 26 Feb 16:21 /var/log/ipfilter.log
#

But now I wonder if the FBSD handbook has an error in section
28.5.7 IPMON Logging:

	"Add the following statement to /etc/syslog.conf:
		security.* /var/log/ipfilter.log

	 The security.* means to write all the logged
	 messages to the coded file"

Shall I submit this as a manual error, or is it more complex?

thanks
anton

-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 928 8233 
Fax: +44 (0)117 929 4423
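A small check for the two pitfalls this message ran into (a selector for the wrong facility, and a selector/target separated by spaces where the quoted IPF FAQ insists on a TAB). This is an added example, not code from the post or from FreeBSD; the function name and the sample syslog.conf contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Checks whether a syslog.conf
# routes FACILITY to LOGFILE, and whether the separator is a TAB as the
# IPF FAQ quoted in the message recommends.

# Usage: syslog_route_ok CONF FACILITY LOGFILE
# Exit status: 0 = "FACILITY.<level><TAB>LOGFILE" found
#              1 = selector present, but only spaces before LOGFILE
#              2 = no selector for FACILITY points at LOGFILE
syslog_route_ok() {
    conf=$1; fac=$2; log=$3
    tab=$(printf '\t')
    # Preferred form: selector, one or more TABs, then the target file.
    if grep -q "^${fac}\.[a-z*]*${tab}${tab}*${log}\$" "$conf"; then
        return 0
    fi
    # Selector is there, but the separator is spaces only.
    if grep -q "^${fac}\.[a-z*]*  *${log}\$" "$conf"; then
        return 1
    fi
    return 2
}

# Constructed sample config: the handbook's "security.*" line (TAB-separated)
# plus a "local0.*" line that is separated from its target by spaces only.
make_sample_conf() {
    f=$(mktemp) || return 1
    printf 'security.*\t/var/log/ipfilter.log\n' > "$f"
    printf 'local0.*   /var/log/ipfilter.log\n' >> "$f"
    echo "$f"
}

# Stand-alone run: report the status of the local0 route in the sample.
f=$(make_sample_conf)
syslog_route_ok "$f" local0 /var/log/ipfilter.log
echo "local0 route status: $?"   # 1: present but space-separated
rm -f "$f"
```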


